3 things you need to know about CMMC

Here are the three most important things defense contractors need to focus on now

The Cybersecurity Maturity Model Certification program (CMMC) is official as of Dec. 16, 2024. What does this mean for most defense contractors? Here are the three most important things to focus on now:

  • Understanding the regulations
  • Timeline for compliance
  • How to obtain a CMMC certification

Understanding 32 CFR and 48 CFR

32 CFR part 170 and 48 CFR together mandate CMMC. 32 CFR part 170 defines the program, the requirements CMMC Third-Party Assessor Organizations (C3PAOs) must follow, and the requirements organizations in the Defense Industrial Base (DIB) must meet. This is the rule that was published Dec. 16, 2024.

The 48 CFR update is expected in Q2 2025. The 48 CFR contains the updates to the Defense Federal Acquisition Regulation Supplement (DFARS), which creates the contractual requirement for all DIB contractors with Controlled Unclassified Information (CUI) to implement CMMC as laid out in 32 CFR part 170. All contracts containing CUI will be required to include these clauses in the next couple of years.

Timeline for compliance

The phases below indicate when the government must incorporate these clauses into contracts. The exception is large prime contractors, who must affirm that their supply chains are compliant by Phase 3. These primes will be looking for their subcontractors and suppliers to comply sooner than the Department of Defense (DOD) timeline.

Phase 1: Begins when 48 CFR is published; requires all level 1 and level 2 contractors to self-attest on all applicable contracts as a condition of the contract award.

Phase 2: Projected to start around mid-2026; requires third-party assessments of select level 2 DOD solicitations and contracts as a condition of the contract award.

Phase 3: Should roll out in the summer of 2027; third-party assessments will be required for all level 2 and 3 contractors as a condition of the contract award.

Phase 4: The final phase will roll out in 2028; will require third-party assessments for all level 2 and 3 contractors as a condition of the contract award and all options for existing contracts.

The deadline for most contractors to be compliant and have a third-party assessment is 2028. The average organization requires 12 to 18 months to implement CMMC and be ready for the third-party assessment, so starting now is crucial. CMMC verifies not only that the controls are implemented but, more importantly, that the systems, policies, processes, and procedures are in place to guarantee continued compliance.

How to obtain a CMMC certification

After implementing CMMC, schedule your assessment with a C3PAO like Smithers. I recommend engaging with your C3PAO early in the implementation phase. The number of CMMC C3PAOs and Certified CMMC Assessors (CCA) is increasing, but availability is becoming an issue due to demand. Your C3PAO will be able to help define the scope, duration, and timeline for your certification assessment. More importantly, they’ll be able to plan and align the right assessment team to your needs, ensuring you’re ready to execute the contracts and options. Smithers encourages scheduling an introductory meeting with organizations to review this information at least 12 months before the assessment is required.

Questions?

What questions do you have about CMMC and how it’ll impact your organization? Whether you want to discuss your questions or you’re ready to schedule your assessment, I’m always happy to meet with companies in the DIB.

About the author: Robert McVay is a senior consultant for information security services in Smithers Quality Assessments Division.

https://calendly.com/robert-mcvay/defense-munitions-meeting-15-min

Smithers
https://www.smithers.com

March 2025